berbew | 56edc1d475e80ea70dbfccef6450a1cb40b2ea2444f6f9cf09de4eac92923dcd

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56edc1d475e80ea70dbfccef6450a1cb40b2ea2444f6f9cf09de4eac92923dcdN.exe
Size

89KB
MD5

d639e58a8cf4dcc6d5e3959eb937ef70
SHA1

e8d232d3664467370347a29d5332a20b089a9f3a
SHA256

56edc1d475e80ea70dbfccef6450a1cb40b2ea2444f6f9cf09de4eac92923dcd
SHA512

962f0351766d3073ecfeb078663b6325f59dcdab5e889d8075358715a5c3c40c57b990d20d68f516ccf55d0002aff17cff89e80488ba6f03b97908ddc0db3077
SSDEEP

1536:kcmGS8ZF1QU5fZWrifbmsCIK282c8CPGCECa9bC7e3iaqWpOBMD:QrWTH5fwifbmhD28Qxnd9GMHqW/

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	56edc1d475e80ea70dbfccef6450a1cb40b2ea2444f6f9cf09de4eac92923dcdN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3392	Nlmllkja.exe
2328	Nphhmj32.exe
1500	Ncfdie32.exe
4284	Njqmepik.exe
1080	Npjebj32.exe
1808	Ndfqbhia.exe
5040	Ngdmod32.exe
4652	Nfgmjqop.exe
4416	Nlaegk32.exe
2868	Ndhmhh32.exe
2432	Nfjjppmm.exe
1588	Olcbmj32.exe
2768	Ocnjidkf.exe
452	Oflgep32.exe
3300	Oncofm32.exe
1056	Opakbi32.exe
1908	Ogkcpbam.exe
5076	Ojjolnaq.exe
696	Olhlhjpd.exe
2452	Odocigqg.exe
1864	Ognpebpj.exe
2600	Onhhamgg.exe
3748	Ogpmjb32.exe
3380	Olmeci32.exe
4112	Ogbipa32.exe
1240	Pmoahijl.exe
4988	Pcijeb32.exe
3040	Pfhfan32.exe
4564	Pdifoehl.exe
4344	Pjeoglgc.exe
3556	Pdkcde32.exe
3632	Pjhlml32.exe
3768	Pqbdjfln.exe
2060	Pfolbmje.exe
2920	Pnfdcjkg.exe
4608	Pqdqof32.exe
3284	Pgnilpah.exe
2220	Pjmehkqk.exe
2688	Qmkadgpo.exe
1220	Qceiaa32.exe
3168	Qjoankoi.exe
2496	Qmmnjfnl.exe
2284	Qddfkd32.exe
4856	Qffbbldm.exe
3264	Ampkof32.exe
4464	Aqkgpedc.exe
1952	Ageolo32.exe
836	Ajckij32.exe
4832	Ambgef32.exe
3116	Aclpap32.exe
5056	Ajfhnjhq.exe
904	Amddjegd.exe
4268	Aeklkchg.exe
4640	Afmhck32.exe
4328	Andqdh32.exe
804	Aeniabfd.exe
2608	Afoeiklb.exe
4424	Anfmjhmd.exe
5072	Aminee32.exe
3676	Bfabnjjp.exe
3232	Bmkjkd32.exe
3512	Bagflcje.exe
4072	Bfdodjhm.exe
3916	Bnkgeg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Njqmepik.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	56edc1d475e80ea70dbfccef6450a1cb40b2ea2444f6f9cf09de4eac92923dcdN.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ogbipa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5868	5768	WerFault.exe	194

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	56edc1d475e80ea70dbfccef6450a1cb40b2ea2444f6f9cf09de4eac92923dcdN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 3392	4296	56edc1d475e80ea70dbfccef6450a1cb40b2ea2444f6f9cf09de4eac92923dcdN.exe	83
PID 4296 wrote to memory of 3392	4296	56edc1d475e80ea70dbfccef6450a1cb40b2ea2444f6f9cf09de4eac92923dcdN.exe	83
PID 4296 wrote to memory of 3392	4296	56edc1d475e80ea70dbfccef6450a1cb40b2ea2444f6f9cf09de4eac92923dcdN.exe	83
PID 3392 wrote to memory of 2328	3392	Nlmllkja.exe	84
PID 3392 wrote to memory of 2328	3392	Nlmllkja.exe	84
PID 3392 wrote to memory of 2328	3392	Nlmllkja.exe	84
PID 2328 wrote to memory of 1500	2328	Nphhmj32.exe	86
PID 2328 wrote to memory of 1500	2328	Nphhmj32.exe	86
PID 2328 wrote to memory of 1500	2328	Nphhmj32.exe	86
PID 1500 wrote to memory of 4284	1500	Ncfdie32.exe	87
PID 1500 wrote to memory of 4284	1500	Ncfdie32.exe	87
PID 1500 wrote to memory of 4284	1500	Ncfdie32.exe	87
PID 4284 wrote to memory of 1080	4284	Njqmepik.exe	89
PID 4284 wrote to memory of 1080	4284	Njqmepik.exe	89
PID 4284 wrote to memory of 1080	4284	Njqmepik.exe	89
PID 1080 wrote to memory of 1808	1080	Npjebj32.exe	90
PID 1080 wrote to memory of 1808	1080	Npjebj32.exe	90
PID 1080 wrote to memory of 1808	1080	Npjebj32.exe	90
PID 1808 wrote to memory of 5040	1808	Ndfqbhia.exe	91
PID 1808 wrote to memory of 5040	1808	Ndfqbhia.exe	91
PID 1808 wrote to memory of 5040	1808	Ndfqbhia.exe	91
PID 5040 wrote to memory of 4652	5040	Ngdmod32.exe	92
PID 5040 wrote to memory of 4652	5040	Ngdmod32.exe	92
PID 5040 wrote to memory of 4652	5040	Ngdmod32.exe	92
PID 4652 wrote to memory of 4416	4652	Nfgmjqop.exe	93
PID 4652 wrote to memory of 4416	4652	Nfgmjqop.exe	93
PID 4652 wrote to memory of 4416	4652	Nfgmjqop.exe	93
PID 4416 wrote to memory of 2868	4416	Nlaegk32.exe	94
PID 4416 wrote to memory of 2868	4416	Nlaegk32.exe	94
PID 4416 wrote to memory of 2868	4416	Nlaegk32.exe	94
PID 2868 wrote to memory of 2432	2868	Ndhmhh32.exe	96
PID 2868 wrote to memory of 2432	2868	Ndhmhh32.exe	96
PID 2868 wrote to memory of 2432	2868	Ndhmhh32.exe	96
PID 2432 wrote to memory of 1588	2432	Nfjjppmm.exe	97
PID 2432 wrote to memory of 1588	2432	Nfjjppmm.exe	97
PID 2432 wrote to memory of 1588	2432	Nfjjppmm.exe	97
PID 1588 wrote to memory of 2768	1588	Olcbmj32.exe	98
PID 1588 wrote to memory of 2768	1588	Olcbmj32.exe	98
PID 1588 wrote to memory of 2768	1588	Olcbmj32.exe	98
PID 2768 wrote to memory of 452	2768	Ocnjidkf.exe	99
PID 2768 wrote to memory of 452	2768	Ocnjidkf.exe	99
PID 2768 wrote to memory of 452	2768	Ocnjidkf.exe	99
PID 452 wrote to memory of 3300	452	Oflgep32.exe	100
PID 452 wrote to memory of 3300	452	Oflgep32.exe	100
PID 452 wrote to memory of 3300	452	Oflgep32.exe	100
PID 3300 wrote to memory of 1056	3300	Oncofm32.exe	101
PID 3300 wrote to memory of 1056	3300	Oncofm32.exe	101
PID 3300 wrote to memory of 1056	3300	Oncofm32.exe	101
PID 1056 wrote to memory of 1908	1056	Opakbi32.exe	102
PID 1056 wrote to memory of 1908	1056	Opakbi32.exe	102
PID 1056 wrote to memory of 1908	1056	Opakbi32.exe	102
PID 1908 wrote to memory of 5076	1908	Ogkcpbam.exe	103
PID 1908 wrote to memory of 5076	1908	Ogkcpbam.exe	103
PID 1908 wrote to memory of 5076	1908	Ogkcpbam.exe	103
PID 5076 wrote to memory of 696	5076	Ojjolnaq.exe	104
PID 5076 wrote to memory of 696	5076	Ojjolnaq.exe	104
PID 5076 wrote to memory of 696	5076	Ojjolnaq.exe	104
PID 696 wrote to memory of 2452	696	Olhlhjpd.exe	105
PID 696 wrote to memory of 2452	696	Olhlhjpd.exe	105
PID 696 wrote to memory of 2452	696	Olhlhjpd.exe	105
PID 2452 wrote to memory of 1864	2452	Odocigqg.exe	106
PID 2452 wrote to memory of 1864	2452	Odocigqg.exe	106
PID 2452 wrote to memory of 1864	2452	Odocigqg.exe	106
PID 1864 wrote to memory of 2600	1864	Ognpebpj.exe	107

C:\Users\Admin\AppData\Local\Temp\56edc1d475e80ea70dbfccef6450a1cb40b2ea2444f6f9cf09de4eac92923dcdN.exe
"C:\Users\Admin\AppData\Local\Temp\56edc1d475e80ea70dbfccef6450a1cb40b2ea2444f6f9cf09de4eac92923dcdN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\SysWOW64\Nlmllkja.exe
  C:\Windows\system32\Nlmllkja.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\SysWOW64\Nphhmj32.exe
    C:\Windows\system32\Nphhmj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\Ncfdie32.exe
      C:\Windows\system32\Ncfdie32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4284
      - C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        44⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        72⤵
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        79⤵
        
        PID:360
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        87⤵
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2016
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1600
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        102⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        103⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        105⤵
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5724
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 212
        111⤵
        Program crash
        
        PID:5868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5768 -ip 5768
1⤵
PID:5828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
89KB

MD5
eda60827abf5786241e3263e3c06011a

SHA1
1c75a107ed77ad367944120655588ae46978cb62

SHA256
4d868053ee10cb087e4aff6636a856164742839349339cc0d8843ad40c855878

SHA512
6c62ce110a9c749e4cc1be8bc650eed43570b09acaf3fda51cd239c2cd8de9a5670de11636c8bb12c00a642eaf01e12948ef5fe2d278acc89aa2274e0a4388d7

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
89KB

MD5
a31b0e517e070fd3d45bfb9965f23442

SHA1
af37741eeda5072ff186f82ab727f37420a8c7a7

SHA256
c9831d799e98888f8cf37faa96d9bf16d318455d80344794a27da01c4099ab89

SHA512
9a0a2e21568cf9ebad41ba870e5fa10d8677f5e8247b24a8634d6f70b0b89d295f2ea8ee187c95541bb37aab4b0001b2a42ede467f3ffe06da383c2e7fd04aa1

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
89KB

MD5
09b9308cb68cfd2e45e4d1db2e8e9f3f

SHA1
d5c58ca1054bc3b1710bd30e03184838e08f00cc

SHA256
24b9fca68aad1d6fd3228b0be3e00bf2a0cb6213cb7279d9ac11bf7bdfc3fe04

SHA512
facc404a3f5b932cf7de99779e2545d9035bc2313f6782eed6db00feb68df38a378d030a7e5e11b743973bb4b33340f7fbcb994ef6d38d904b01e00485c23fed

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
89KB

MD5
2550b732a1a6e60b3a0119c09cc2f4c6

SHA1
fc9ee71861b9362c12d4071f87bedb68bcc80fa4

SHA256
93414f56788332fbab57e7374644dad4964ff0bd828c4611d3d4c5d377e5ca4e

SHA512
a9434699cd619a76e68e0003010a69a7eaf4c90c87e02df53ce07892947f617e3a1c85514ccef1011a4c1326aa264f224386cef634cbfc0a5073ede7a96a2c79

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
89KB

MD5
70f9fe02f0b1d8e11a4829308bb3a6c2

SHA1
3cc62b514b7c7a7d3cbed73cb46a6d3af5faed55

SHA256
a4afa778582a144c1befb69cbe3e4def594e9e0a4225c7fa17205de9a04f8d36

SHA512
3d7c7178bce881f1e8aa6e4ea6167b6b3984b3fe1766a4c96ff94ce3e88020d12f43c5eb46911c18dde7b55bfff501085f3df92ad36e420055173e27f7a494db

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
89KB

MD5
d790987133159b937ae13b3cf201d05d

SHA1
0ec5bdb37c535323c5c90d5cd9f35348542dddde

SHA256
d02e881f7a66b09c8b6eeeef9511d8d15d7316732a5560b31e2db07b375a43b5

SHA512
e5e1975eecc8786263fd0345132f581a5188cb148bfcabd2e1387205a3d81f33cfbddb6c7440885d71e89d6fe98d3cbd621e9832f559c84138da5e7e36fb3f95

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
89KB

MD5
d9efe3d189c422ee82ab179645a1b779

SHA1
150ee842cf716ea35fb10b7fd92220ad523ae186

SHA256
d8f82071ff550cd0d6b2db7a510644eac812fc95ef09f4370c05d06a6e50e35b

SHA512
8dea02f8c3cd97a89aaff3b2dda734907b7267a524dbb74811dcf8ce5cb1db3146b25ee0d525bb5209be75f14c3f2037a6bd35f7a4343c6d6a3ecef4ba482d70

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
89KB

MD5
ea05e7f0214ec1473dbc3bd3be4885d7

SHA1
57ea80fff12408023bb4f12340cf5595d9c2d844

SHA256
772a5ca766a7fc25dfa92f8dc5ab6860a8b26a4e68c2e15a88250153cb76091a

SHA512
280d6aa06a5f6fd084e333367a19f0fffea0ebddf003583e698bfba478d16aaa2885e8ee0537d44452081fffd0bca35778a97974c6641a3341523889351a1a49

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
89KB

MD5
ed4244d1c095a66b0cbd90aca98189d9

SHA1
3376e0539c569caddc4548108a78d3c30e519ef5

SHA256
fdbf8d9982f7a1bbe38c66b774dddabb2ba593890779b6cf4e252c469b2b579f

SHA512
86989b6dc8362f55ac2979e329999aab84f9c06ca28eaf3b344d3f33e648013133c9e783bec16047beacb795545475c36eae148beb06e85b53cfb8c24f7879b0

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
89KB

MD5
0c4bbd87ab7d3b38e286a2b98a424561

SHA1
f4769f91286f42e5655805394fba80a9dffd11d5

SHA256
70ac8614f4b8efcae6ae65ed5aac5ad3c6ab430c2f462dde2904e305ace3bdfd

SHA512
cb0d376eff1de5bcc2945f6d3bd89cc9d12830a440d57fb502a8de0184f1a3f10c79a7817246f1b3696c9b96629ee56cf3227fa56854aed82d6723029cee8bdf

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
89KB

MD5
f4da6742c8f72be597670cf31ff10e91

SHA1
76477a787d643d1b0577fc8511de11f9e2bc59f1

SHA256
85ed618a78dcbdadf8647272d7a2d6bca86e9eff7af2414f63edba317a3a9268

SHA512
5506d788ae3a5f1f868b2fed6a12352cdf23ecdfafd2c52a3a276a047a937f917acca4fee51ce39e013c8db67fad46b6a8870da4fc412d343dac6c9bbf018b97

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
89KB

MD5
a8e6107ea2da1c21c51581210411cb29

SHA1
b2e84c5b30e30d4c5e5174bb746a017b13bbe68a

SHA256
f1d737c9634030abe88ab5b64f115f16df53f81a7d269fc73a8afc1acf6088ea

SHA512
fc7f34c978c74ec80a0c21698b1c9134c5d25b800d8587859454928992f15b113c77b67b9a63bc7da9580230a437fd7ee27f240c15a78b7150d5ad0f9a3a1bd9

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
89KB

MD5
c814a83e15c3a2c49d3ecd7186a3ffe6

SHA1
e84b22aa0498a0b9136552e52665ecea1b3bb7a7

SHA256
bf116e3bf4025bdc174f9ff9cfad75b8ab6b630a73c1d66b450533e63641c007

SHA512
e0efa14c59010baf657c457766d6f98eb23374bcb12e3861d8af15f0d04de3c853e5943915566361d982929b7809940d534c07affc991c3ed2cb6de473c12cfd

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
89KB

MD5
7ea2180b617f87d684dd655f7acfbe6c

SHA1
de0187cd3de3429d21ec272182ede024b5886455

SHA256
92120089df8642fd09eb47000ca7b41277f7460ec922f5f48d48283d6e017b43

SHA512
c62699f9dd1dd03be34894ece3fb1912f483f9a7df2a37d71286c16fda96813889dec73756779df87bdea11642a2ccb96e9ad07b01613ca8cecf2a501ad48116

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
89KB

MD5
78f6409a0a2b77d2e37857094c2121d2

SHA1
9ae7f5278028627d4fc3d2c1a278f4cd294814a5

SHA256
257c680472d3be57a85376f3b932cd11aa08128757b4836249723305d5282edf

SHA512
23f486237e2f593d0c12c8ae788d9748791c72da0596cf2dfe90c3bcffce2b38499cd5d4d8f78388ed7e59436b900dd08d18951a719cf890a9f594ad827e81dc

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
89KB

MD5
d790898e1dbeb037193f5a809f92d569

SHA1
1384091a8d3a48546576e79987ea43f71e51576f

SHA256
384ca0d119595269c66597ed7b71aede937475faddf70ad74d727b6103b1ab57

SHA512
09759fd602672d39669ee6bd5f3c3c91392307f560d67b7d9ebcfdbaacfca41fed077e92220e1a4ab621af04d0283672f96195eeb655b04c349706c62ac1a919

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
89KB

MD5
02c32131b672b2dc58b68d26ca887768

SHA1
965b8226785e89325596bc579d5b0b7319db2130

SHA256
2fb97aa1b982735d620cab50e9003f79c5634ee7bbf6961773ff46f9aa8968bc

SHA512
e97d835126d184df086a6d6adf08c8bb7b343bbfa989090ebb1109ddfaf8a7e7c0ed76288e21b2a927623c3696e4c40b0b487bb293c76bf6eeff8bf704ee8118

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
89KB

MD5
903941c74b2b295b5ef5751b5d7e4d59

SHA1
49f22a14b430c577c40cf99c243fd739318c504d

SHA256
6d56de35b658e71140385bb5f3e1fdbc388afe694035c2b6c87ded539dbb85d7

SHA512
4ea28dfeb8dbb01c3d82147146caa76c569e1a75388f5f7b63a632bf991224982aa256ac72a4127bd36c331f08b9dcc4fe121214ebcf30d5492bf457dfb5fdb5

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
89KB

MD5
ea1bb82a8b4b8f47bc417ed1f5cf0d0f

SHA1
72239ea65a7d78ee4d2c7acd7601153caba994f6

SHA256
a923ab5e28b8a85deaf5ce4717e64199d58ccfac7b6316ea9556f00dbf538650

SHA512
a2b905e9634660197801abdff52b591a52941edffbd6ad3e5845c7f8f44f16aba7bf84483fab95392ade8f0f8cced7e8d7af6445135d6fc5b3df98147dedd8bf

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
89KB

MD5
74b5021114bbe983882c672c547bc156

SHA1
6a177374ebd732d4714a81bf65aaee8af6d260a0

SHA256
cba378312d92763942957684ff05cb55b2672207ae14d63399a0bf2c1a72030b

SHA512
fe61117ef4cea608b3325a8e21e3f293d8d3d0c09b0bc852374d619a82c682af834dbd5ac8a443e47632590cd5fedad9c3d556e0c6e7c880e6b42febed1e87be

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
89KB

MD5
ecbd76410561289e26109de69f2410e6

SHA1
a7a4855d2637099b1a4a0ee3f38fbfa85cc5409d

SHA256
d30d7c0d76b7a18081d781c2dbac600a3f8c4fbaa568cccb20da39e1cb914a61

SHA512
5a996b3faa0c486cec31c9ae63fe57b496d916078dbf1fe07fc67843dcec87b372b5a3903cdf121770341e248875602e54fd70df8404ce59d2eaaf1963023d70

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
89KB

MD5
208caa2ba1c69fead6cb0c8ad461fe8d

SHA1
7d8f6e9c7e63008bb68a252f948c6bfac9a944a2

SHA256
b631e5e02c739715e5ae81bf431d58afbfaf620fa35c4fdab7b9770ccaa54dce

SHA512
7afa72fce47f8cade065d0adb046fa0cc6b979105ef5f7c271e40b94d7e773e5cae66a10e668c9bd0086b9d488b703c8405ec352b6e9b1034c5dbf46e080ec2e

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
89KB

MD5
8e07e4ebed6637213bd0617bed56c949

SHA1
94bbf142fc226cbb0a2d2f95a8849a7d6c248c14

SHA256
3eea54c397d4d59963f55e543a2de959c96db46a1859cffffcafb22176e9875b

SHA512
346e2a901dc9ce531652ef601ebf8ef0b1068a1ba31492bb22430925011e423042b002df4a7aef95cb19d18d1685dc2f6daaeaf10654a365654df65fe271af58

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
89KB

MD5
9766f50d967aca1302598376482d1a75

SHA1
13bc89e364866a1d4a181a9817342b46c0be4ea0

SHA256
3d4aed92ba714e072ced4058b4cd250276916ffbbb55481977192b055d3c492a

SHA512
212469468a3aba5e7d05c8df73009b06048dd3e1adb37622109be865ef927c4b35a67c4139e753d9a45a7dde89d953eab917bea4d529e57f2edeb4cb27338bf1

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
89KB

MD5
8b38b85d2b626838280a0ef807e4c38f

SHA1
06b939ecc21f9170c8231047d25b4755e8d9bdad

SHA256
f6593b8660aa38226859002aa86079184c397078b8877240f2befbe7549ec8d1

SHA512
cdaf970ff3469be56962fd9d48109c646aba3dcc36a1dc99d90f5c84841967899b62a07f8b1e68686e6fb74b6decf3708eb2fc7afc032939bf2aa924d204cddb

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
89KB

MD5
b67003ce2bf5f0e2269de676d2bac715

SHA1
3a8d5dbf19e97d8dfb66bfe5f66234018197f3df

SHA256
df18c1950f1d84bf5d6aa0034368a5ebb04a29121c56c3240d3983cfac5516be

SHA512
d020dc83fcf2950956960bb253f5bfea6495782d91dffd8803f51a35da2f5dcc4a9d8a2791c7bb0ee7b876e6fa7f28281cc334aef2050a80d25aa03fed022c38

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
89KB

MD5
16601645a27cd9df8a42f47ebc1d850c

SHA1
d8091a5b2317946267c33084ce789220979335dc

SHA256
8ff0b7167cbea465c3301250c3a50e2ce75657fd0889ba772a5f6e25d730f0f0

SHA512
43408996bc8814287f179ae269ec99d2a49bd7c25c605ab7cc3e887b71a1479e86aa27ea35cc6bb9564cf7701482b5a5a9e3d323fa0b5b30b11450682cae8faa

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
89KB

MD5
ec7f12335adf34f8058ffc6aa29dc239

SHA1
63de01012f4948cd83fbbaaf983418164e292165

SHA256
900aa6fa64caf4ba169f7280695aac671a4e4095392c44e169e25df42fb692ee

SHA512
e3f039a212dea4f8dcbedf4e72449a5d31b22aa9a66777b18c559c663e5f718d5172a39ca0750697ddafbde68a70c63e67bf8b4bc5803e89fab35531fc138b9d

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
89KB

MD5
5eb773f21ae5bbea07ece0c12cd3c179

SHA1
ad0493ee679e8e7ef6c5dafe4284d9b89809cc85

SHA256
908ae9810905441c2ff0c844b4cccfa069c8ba7ba23b2a84d948966369664734

SHA512
000b78a97b8f84ce51ac251620ca5f3bde72c4586af8af895a83a407d8ed197722f928caa7c42a4d6be4511f6f167a58a59ef615ed31d358642c943f1277a15e

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
89KB

MD5
6f38c2e54d487067a62d9dd2e81fa337

SHA1
030251018ed828ea96a6fe14f0d244b2c90b2b83

SHA256
c4272ccc6dc7f01a76595189d265680767506a67736c9587c0e51466c67d16a4

SHA512
314179d76a38429946ea098b43243bf1b0de4ba542f5033c6e7cb8f3b99f937533ac8a2ce6b7e060d57b193456563a9e9378d8d0541c73aa80f49aaa1f221501

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
89KB

MD5
18e844f537bce0c12f7f3b2a7b03bd04

SHA1
78aa1642b3082d12b97bd69c935302bcd1b34d14

SHA256
e9f5125934ffdd4c49ca87ec4053267303b245ad7b8e3f7c4a0218c6e01def96

SHA512
b4272c020cbbd9d24338e5cbec265c5899bb5ddd1a48ef8ab35e5ada93a887f39acaaa79c10d834c6526c5498f90b8692ecea413fcc3bab258374c343aa1ca99

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
89KB

MD5
360fb876f79ec2e5676d695a52f9afe2

SHA1
cfb31704e201e4111db7b75610b3027c467ed871

SHA256
905c58cb1807099ce0cd51a5104c11bb792c0af79950d44e8513f8ec077469f7

SHA512
b6cdc9f01031d8972514ecbb5ecc6797515b55dc539823d78617bebf8a1692155d493721292b15bdb158d5f39a4fb535f3f6172fc4195177f8237159de4ba733

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
89KB

MD5
4a0ebff33872ad81504c21e127b87b18

SHA1
b6d31d163f4b634212fbd44ef08d27124a649e59

SHA256
ec14fda221c81d036cf5dcba7aff376400b595106d751745a7f14505d55126cd

SHA512
148db65ce7fff77fde06a528dd6e05616141ca00b2c4268f168b4c1e43e42c9991deb10d792825f32a594afc1eab75d5c30400c59e922b4e5ca304696c0f597b

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
89KB

MD5
40287f50661a56d90602ecc9036ecb03

SHA1
92a58d4f08955e09bc87f3853f7dd89efd2c97ed

SHA256
4ea533fa6cf863ed34c36ae265d203ee3e1151208b619e0885210c1da6804e5c

SHA512
b252ef585ebc057ffe199917100dc58aef33e7f13646e53f51fe639ee8297ace54cb2b6f7a5ef9c49348e693ad3dce2a6525a26b52a94f6cf6ea45ded8a5cbe0

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
89KB

MD5
abe8b811dc83bdb9caf317d58f599b1f

SHA1
73a95a0dbded45ad145bb5edf8f4e86bfe5a8fba

SHA256
8db352bb6a2a71c714248c063c93bae93a272afab653c72495e3ab2f61a160e5

SHA512
3419d6d50704bec0fc0bacb35abd1be24478a6b23c3c8f45bddffd26b330bd24be1be6c5fa8f87272920b36e90fb1014e7a4b4b000f2f92e279a5a45d3bdd2ab

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
89KB

MD5
6adf36a770a6b527b8c0a5a2447acdf4

SHA1
5b1abf7f568e95539a9d4f1b9243bd4493c1c089

SHA256
746b6ce481002bab318cf97e01100894ba3713b9bd6d8a7d17b624617ed72f6e

SHA512
5f50c4b8aa3b71be9e3f298d8ae10ee68fc76070fb84f2807a5177484de04d02c83ca88b92c567dc604c6cad40a0fddcae0e57ef9e0b83dfa7d64289e7ec63d9

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
89KB

MD5
52d5449628d0b9e1c185d699c8f7c88e

SHA1
7e1101014a52fb730a6e808f73b06ad95d4720bc

SHA256
5a9ffd55d77b75654a126a48926d1b5a01616907a9121401ca87704782687e82

SHA512
88faae53082a6d81a651cb35d292cfb0c4ee7e7207250bfa85d528b6f8f2558be9347dd58874d819bbf9d04377d33e46e7813cb6b1849f609a4ccb2d2fc0e5c1

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
89KB

MD5
324a3274b50e98f240da551a2dae45a8

SHA1
16ce4064ea2fef1e2d26a1ff2fe8eeba95688624

SHA256
94092314822a49c5a70745ad2a07ee54d29166b62bf02da7aee933abdc8fdea3

SHA512
d49cc2ecc0e8cd22ac5398aea53a12ab47902c32775b8d544c47d56a7f16a7b62dbde9a6752065f444237ea3d6a7217a0fb51ef872b0951c9565a644704e6102

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
89KB

MD5
1edd6b15f2221e9c9e9e391e54b455a6

SHA1
95a0e866bbd4715c52ca980086f3781dde496e7e

SHA256
4e1f7416039cfa8a2812134eaed18dba9dd9012eaeab6c19ba2b838f59bae50f

SHA512
31724b79185968f681d13b5e838012c2c0587c72eeb2d089c40e74ea8a5c6df6dd48e33473d1f29a11af0589afcc032cee5be0b2ec37ee4b149ef29f6a4d2252

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
89KB

MD5
75b207a509f8391e18b6c487c5a54f20

SHA1
908bf969f01a6e4f4e3b98b9f6d42d797e941c67

SHA256
c6a609445cf8006becb2c9c5e764b3947a6d3f91a69d5d824bf2aa704125d5fa

SHA512
923e33ef4c378f529bd3b0eb96f8ed1bd31ba2881edeeaedf4b94e52ee0874f42e94ce2fbf11672b6277f51850ab1b88af0f6716f1943c0ef56133d1e5eb0726

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
89KB

MD5
cebc3fda4347021d39db6c72a8fea397

SHA1
b6bd17351801ef679505da4b484f2e644e7a8047

SHA256
df67877dd2985d2c6dab55f90ce07d9c75c5af63098bc469ed8caa3d22309f6f

SHA512
2ac93978f1a9df90540c7b3d14cb780d3ae6c4d05b5ce9f9f252d6963d1cb8d951461985c49011cf988c5aceb76f99afa5a2b4f7a8898db8e49e5fa50b0f05d8

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
89KB

MD5
bc743626f03de9852d7254244453636c

SHA1
5c5ef90686dc2e8831b29241ad7672ef4e71cca3

SHA256
c1d6e5ca0345f6852300c1a4432b561fd0b9f6616a301af8ed4cfe45c3087a37

SHA512
7b62d191f86f023f6300ba550f2d3727e22f1e9a3aa3e7bd09b66f46d8753b02c1e4af8be42146278714743022216d56b1fbad352382fefae8edeb0957f0fb43

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
89KB

MD5
af9017fa7319fe506004ace4e5901cdf

SHA1
a8960af484d7ecc53eecb054cf41ab49a23e5de2

SHA256
a51d01de21e88325096686151bc3fb526d49ec32854227dc73fc381785319592

SHA512
3dcfa292912f736802391f5a4959a51a2bdb8ca51f5028ae50ed6ccd41bce3edd291d348aa54c41051dfc061383259e442cb3f0ac9f1b9d57c0360c933cd84ad

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
89KB

MD5
a1d2bcec9aa97c953ab6cc93eaed6582

SHA1
cedc3bf1194394a1a5b1614ee31140c99aa64851

SHA256
d09d83735c38123267d2d96a9556db798b68058a8ad6698d4b8862bf2b43945b

SHA512
aebacff9c767fb2e76d1226d5b5e33c69c8eea9484958faae498629c68b3f197cfd781a80f4938c907338c1066206fb7e4eaa68ed5ea5583afd51f06899784e8

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
89KB

MD5
d8e7190e448f2180e1209454130c43ad

SHA1
cf532744dc3dca70dda76de2b23e3aab5389f968

SHA256
98f29d4b7b100cec94eeb48c99367539c47579fa900b1424d708109c5d9e2ce6

SHA512
dcf0313bbb1cbb7972603cd2b20da2659c1da0fd7ece4783c44b5442d1ed81a01975f6069a259e2fe42e686704a0591bc81a2f629e330039450a6673d1853734

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
89KB

MD5
367a4dda89a509b97ecea8cd394e877a

SHA1
05783770608baca12419996fcd140a2c47a0a21e

SHA256
a2a5ec031fafc162408066e297219a60f8bf47814bd78a9b3d08458b046331b7

SHA512
a89968c92abfc0e86d91c5ba55afd1c1207e3e36b2a1f32c515b6ff663e304f38b8bc0b13f073a5482a47170a400a27a069879adc44d802bdbfc65110593aa67

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
89KB

MD5
19f135baa290085cb2375e6e31168319

SHA1
aa2f1e7a3ea2763682593dfa7a98415d9e535b7d

SHA256
a67b36431eeee1570c0a06917c249e8602609f8a3f5b800b2887516984878a5f

SHA512
c56ce5161389e8b512cb29f72e23f54029b7909de05bded675302e38726cee99941a9a14199c4f2924467b98fa6444e8ce91626f8800f4a27d591324bcc8e3b9

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
89KB

MD5
3f3de245b1d27c1262b51783f2cc1868

SHA1
62eb01d3dc437e6af66a2a26efb1823a475781a9

SHA256
4b97a9b1532c3949f52a54c658c9c918ddba1f37263d76b82b04e5f2fd97644a

SHA512
d62337595e8f28a80ea6b497f4c42bb67d2f80addebb030c3e6f2a7c61d003314dc05a9acb253b06ca0f348345bc8061dde1bce1a9587c405d61e38ff1398114

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
89KB

MD5
bea36522cd87cf10d2d6eaa7448f8d86

SHA1
5d712b40808b030f16751142826d5a927ce77fcd

SHA256
30e681a49a7c849f7f6933115de1cbccbe6c6e76f0e63c1af770c5845555e6c1

SHA512
e202f1b0ed91be2031fda512791e0c3c6d8ed0c5c49102289605e95ab53e484fcc81ee9ac6e9de8eedf7d42d6442d447cd3a59085345f04d7b94fe03349c720d

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
89KB

MD5
dc7c1950c130a2b8eb3d0405a4c162cf

SHA1
816f41d11ad855de791d02c40408d7168b8cb5ba

SHA256
a2eb0534adadfc636cdc2e4a2c75ac6c3a68dde09f6f2ed2a0896f015732aec1

SHA512
37913e86b0e13bfe11e580d2fc2a14e01db36c5bac0f292a66d7322818e656754c1daaebd7e94df636aa8c6a66571fdadf31c2e8b759e4455fa5f5c88644fb08

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
89KB

MD5
53216aa7280c1a8a8dafa84eb8cac081

SHA1
603d3233f0fffa22f0558b8f3af01116898b1d58

SHA256
2d5fa80c35fde25e8313f5cef01826ddf1cb86f3654c1039d0c92350bfb51685

SHA512
682639772321afcfc2b868f59ef4a53187d57331c0e3abac582f15565498830948a84252537945db45bb46f902a2b38fa00aeb3184882bb77cf0434d6bc7cc44

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
89KB

MD5
ccbee3bd432bf53327f6a0ef7c12a3be

SHA1
0fdbbbb12ba2772aa9e1e95eb397bdd73a2f3360

SHA256
1c58b52535f299c61eecfef26e601348c961d24f2672b831ea714b7d7f1ee056

SHA512
a95caa0c7670ad9589a7fbe96071d7bb568e3c78716eebca1cea73234688824ba5114197a73aed275102eda820f521dbbdb6aaf53315a6384a03ec298beb3687

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
89KB

MD5
a10bef467eed3b4b675edd55d7f5de05

SHA1
273a2110a8e4450a5c255f50791330fcf455d219

SHA256
cdd1775ed614f1e6f6f13cc50a8bb1a164e8ca1fe72b35969157ee1c35697350

SHA512
ae996e31bb30e0a44e577c03404e6685f3b0691c89ef04c04ed2f1e834c6604c5dbde95298b3cee8c785c84656ae11a807c0e18ddbc555e583364d7fc10b8882

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
89KB

MD5
95850ad9e71af05973496ef02a91e036

SHA1
0164d3daa9831b92ca1b290ac4540c38b32a7947

SHA256
afcdbe1965241f4ac52f3dbea261da5e284d2650a6e36d86ab9c803ee84dc7af

SHA512
e674bcb2393b8c9669a8983b2616cbc26add623b2148b5cb0307e00eeb8f5611de3fb53065f70626325255207bffeab3d5a714331241fecc2f2ce81dde807cd8

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
89KB

MD5
3b7a95f9b21a70e5b231758a66e1a0f9

SHA1
8a20f4c8e1e5df23285c3a2bec81dc18ca970a0d

SHA256
02a439e14305adb885fd55b5f05fafca0d8458dd609cf2b479f3323f22bdb0fd

SHA512
a31d06916d804ec1cc7feda45ffb97e98525fd5145bce9fed460ea3bdbb4a12aa35787e528f728019206b5df11c2a6fd1dcb2fb1072300380e86c5a65607dd58

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
89KB

MD5
f14e5b70ee8cdbb323d1d5e0d661803e

SHA1
96554aed6376239a71baedb3f51e5e96d5ad3d77

SHA256
4a8934d8aaa124c3a5348b7050150a227a308aa65d7293b0a15bf784bd1d2fe5

SHA512
bebd2ee171d395a0a121214389c1897cf24542c9fe701f3d7e14b98a112cb94c30718d1f3d21a48a9d091e780badcc4b0aef4af4b698ffc5de80e9d8baa61732

Download Submit
memory/208-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/360-533-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/432-560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/452-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/684-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/696-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/772-581-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/804-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/836-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/904-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1056-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1080-580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1080-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1124-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1220-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1240-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1500-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1500-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1588-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1704-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1808-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1808-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1864-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1908-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1952-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1956-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2060-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2064-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2200-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2220-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2284-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2328-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2328-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2432-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2496-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2608-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2688-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2768-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2868-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-525-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2920-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3040-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3116-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3168-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3232-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3264-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3284-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3300-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3316-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3380-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3392-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3392-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3464-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3512-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3556-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3632-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3676-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3748-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3768-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3860-553-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3876-540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3916-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4020-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4072-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4112-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4268-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4284-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4284-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4292-574-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4296-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4296-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4296-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4328-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4344-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4424-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4464-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4532-588-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4564-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4608-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4640-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4652-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4748-546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4856-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4988-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4996-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5040-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5040-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5056-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5072-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5076-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads